Re: [PATCH nf-next v9 2/3] net: netfilter: Add IPIP flowtable tx sw acceleration

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>,
	David Ahern <dsahern@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Jozsef Kadlecsik <kadlec@netfilter.org>,
	Shuah Khan <shuah@kernel.org>,
	Andrew Lunn <andrew+netdev@lunn.ch>, Phil Sutter <phil@nwl.cc>,
	Florian Westphal <fw@strlen.de>,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH nf-next v9 2/3] net: netfilter: Add IPIP flowtable tx sw acceleration
Date: Mon, 17 Nov 2025 23:54:05 +0100	[thread overview]
Message-ID: <aRunjT-HYQ-UeR_-@calendula> (raw)
In-Reply-To: <aRWLhLobB4Rz0dA_@lore-desk>

On Thu, Nov 13, 2025 at 08:40:52AM +0100, Lorenzo Bianconi wrote:
> > Hi Lorenzo,
> 
> Hi Pablo,
> 
> > 
> > On Wed, Nov 12, 2025 at 05:02:37PM +0100, Lorenzo Bianconi wrote:
> > [...]
> > > > On Fri, Nov 07, 2025 at 12:14:47PM +0100, Lorenzo Bianconi wrote:
> > > > [...]
> > > > > @@ -565,8 +622,9 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
> > > > >  
> > > > >  	dir = tuplehash->tuple.dir;
> > > > >  	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
> > > > > +	other_tuple = &flow->tuplehash[!dir].tuple;
> > > > >  
> > > > > -	if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
> > > > > +	if (nf_flow_encap_push(state->net, skb, other_tuple))
> > > > >  		return NF_DROP;
> > > > >  
> > > > >  	switch (tuplehash->tuple.xmit_type) {
> > > > > @@ -577,7 +635,9 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
> > > > >  			flow_offload_teardown(flow);
> > > > >  			return NF_DROP;
> > > > >  		}
> > > > > -		neigh = ip_neigh_gw4(rt->dst.dev, rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr));
> > > > > +		dest = other_tuple->tun_num ? other_tuple->tun.src_v4.s_addr
> > > > > +					    : other_tuple->src_v4.s_addr;
> > > > 
> > > > I think this can be simplified if my series use the ip_hdr(skb)->daddr
> > > > for rt_nexthop(), see attached patch. This would be fetched _before_
> > > > pushing the tunnel and layer 2 encapsulation headers. Then, there is
> > > > no need to fetch other_tuple and check if tun_num is greater than
> > > > zero.
> > > > 
> > > > See my sketch patch, I am going to give this a try, if this is
> > > > correct, I would need one more iteration from you.
> > > >
> > > > diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
> > > > index 8b74fb34998e..ff2b6c16c715 100644
> > > > --- a/net/netfilter/nf_flow_table_ip.c
> > > > +++ b/net/netfilter/nf_flow_table_ip.c
> > > > @@ -427,6 +427,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
> > > >  	struct flow_offload *flow;
> > > >  	struct neighbour *neigh;
> > > >  	struct rtable *rt;
> > > > +	__be32 ip_dst;
> > > >  	int ret;
> > > >  
> > > >  	tuplehash = nf_flow_offload_lookup(&ctx, flow_table, skb);
> > > > @@ -449,6 +450,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
> > > >  
> > > >  	dir = tuplehash->tuple.dir;
> > > >  	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
> > > > +	ip_dst = ip_hdr(skb)->daddr;
> > > 
> > > I agree this patch will simplify my series (thx :)) but I guess we should move
> > > ip_dst initialization after nf_flow_encap_push() since we need to route the
> > > traffic according to the tunnel dst IP address, right?
> > 
> > Right, I made a quick edit, it looks like this:
> > 
> > @@ -566,9 +624,14 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
> >  
> >         dir = tuplehash->tuple.dir;
> >         flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
> > +       other_tuple = &flow->tuplehash[!dir].tuple;
> > +
> > +       if (nf_flow_tunnel_push(skb, other_tuple) < 0)
> > +               return NF_DROP;
> > +
> >         ip_daddr = ip_hdr(skb)->daddr;
> >  
> > -       if (nf_flow_encap_push(skb, &flow->tuplehash[!dir].tuple) < 0)
> > +       if (nf_flow_encap_push(skb, other_tuple) < 0)
> >                 return NF_DROP;
> >  
> >         switch (tuplehash->tuple.xmit_type) {
> > 
> > That is, after tunnel header push but before pushing l2 encap (that
> > could possibly modify skb_network_header pointer), fetch the
> > destination address.
> > 
> > I made a few more comestic edits on your series and I pushed them out
> > to this branch:
> > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git/log/?h=flowtable-consolidate-xmit%2bipip
> [
> 
> ack, I tested this branch and it works fine running my local tests. Thanks for
> fixing pending bits.

I need this one more little change below.

> > I just noticed, in nf_flow_tunnel_ipip_push(), that this can be removed:
> > 
> >         memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
> > 
> > because this packet never entered the IP layer, the flowtable takes it
> > before it can get there.

I have removed this memset and pushed out a new branch:

flowtable-consolidate-xmit+ipip2

This should be good to go.

Thanks.

next prev parent reply	other threads:[~2025-11-17 22:54 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-07 11:14 [PATCH nf-next v9 0/3] Add IPIP flowtable SW acceleration Lorenzo Bianconi
2025-11-07 11:14 ` [PATCH nf-next v9 1/3] net: netfilter: Add IPIP flowtable rx sw acceleration Lorenzo Bianconi
2025-11-07 11:14 ` [PATCH nf-next v9 2/3] net: netfilter: Add IPIP flowtable tx " Lorenzo Bianconi
2025-11-12 12:55   ` Pablo Neira Ayuso
2025-11-12 16:02     ` Lorenzo Bianconi
2025-11-12 23:10       ` Pablo Neira Ayuso
2025-11-13  7:40         ` Lorenzo Bianconi
2025-11-17 22:54           ` Pablo Neira Ayuso [this message]
2025-11-17 23:53             ` Lorenzo Bianconi
2025-11-19  0:13               ` Pablo Neira Ayuso
2025-11-19 11:19                 ` Lorenzo Bianconi
2025-11-07 11:14 ` [PATCH nf-next v9 3/3] selftests: netfilter: nft_flowtable.sh: Add IPIP flowtable selftest Lorenzo Bianconi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aRunjT-HYQ-UeR_-@calendula \
    --to=pablo@netfilter.org \
    --cc=andrew+netdev@lunn.ch \
    --cc=coreteam@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=horms@kernel.org \
    --cc=kadlec@netfilter.org \
    --cc=kuba@kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=lorenzo@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=phil@nwl.cc \
    --cc=shuah@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.